b'Report No. DODIG-2013-061            March 27, 2013\n\n\n\n\n   Improvements Needed to the Purchase Card On-Line\n                      System\n\x0cAdditional Copies\nTo obtain additional copies of this report, visit the Department of Defense Inspector\nGeneral website at http://www.dodig.mil/pubs/index.cfm, or contact the Secondary\nReports Distribution Unit at auditnet@dodig.mil.\n\nSuggestions for Audits\nTo suggest or request audits, contact the Office of the Deputy Inspector General for\nAuditing at auditnet@dodig.mil or by mail:\n\n                      Department of Defense Office of Inspector General\n                      Office of the Deputy Inspector General for Auditing\n                      ATTN: Audit Suggestions/13F25-04\n                      4800 Mark Center Drive\n                      Alexandria, VA 22350-1500\n\n\n\n\nAcronyms and Abbreviations\nA/BO                          Approving/Billing Official\nDMRA                          Data Mining and Risk Assessment\nDPAP                          Defense Procurement and Acquisition Policy\nGPC                           Government Purchase Card\nPCOLS                         Purchase Card On-Line System\nPCPO                          Purchase Card Policy Office\nU.S.C.                        United States Code\n\x0c                                    INSPECTOR GENERAL\n                                     DEPARTMENT OF DEFENSE\n                                     4800 MARK CENTER DRIVE\n                                  ALEXANDRIA, VIRGINIA 22350-1500\n\n\n\n\n                                                                                  March 27, 2013\n\nMEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION,\n                 TECHNOLOGY, AND LOGISTICS\n\nSUBJECT: Improvements Needed to the Purchase Card On-Line System (Report No. DODIG-\n          2013-061)\n\nWe are providing this report for your information and use. No written response to this report\nwas required, and none was received. However, informal comments from management on a\ndiscussion draft were considered in preparing the report. We are publishing this report in final\nform. The Director of Program Development and Implementation, Defense Procurement and\nAcquisition Policy, Office of the Under Secretary of Defense (Acquisition, Technology, &\nLogistics), requested this audit. Our objective was to determine whether Department of Defense\nApproving/Billing Officials adequately reviewed transactions that the Purchase Card On-Line\nSystem referred for being at-risk of noncompliance with applicable laws and criteria.\n\nNeither we nor the Defense Procurement and Acquisition Policy could use the Purchase Card\nOn-Line System to assess and determine whether DoD Approving/Billing Officials adequately\nreviewed 32,690 transactions that the system referred (during the period January through\nJune 2012) as being at-risk of noncompliance with applicable laws and criteria, including lost\nand stolen cards.\n\nWhen we requested information to conduct the audit, the Defense Procurement and Acquisition\nPolicy office became aware the automated system lacked the capability to produce the data\nneeded to complete the assessment of the Approving/Billing Officials\xe2\x80\x99 reviews and initiated\nactions to improve the Purchase Card On-Line System. Thus, we are not making any\nrecommendations in this report.\n\nWe appreciate the courtesies extended to the staff. Please direct questions to me at\n(703) 601-5945.\n\n\n\n\n                                             Lorin T. Venable, CPA\n                                             Acting Assistant Inspector General\n                                             DoD Payments and Accounting Operations\n\x0c\x0cReport No. DODIG-2013-061 (Project No. D2012-D000DC-0200.000)                March 27, 2013\n\n\n              Results in Brief: Improvements Needed to\n              the Purchase Card On-Line System\n                                                       As a result, the automated system cannot be\nWhat We Did                                            employed for oversight reviews, such as\nThe Director of Program Development and                assessments of Approving/Billing reviews and\nImplementation, Defense Procurement and                disposition of at-risk transactions.\nAcquisition Policy, Office of the Under\nSecretary of Defense (Acquisition, Technology,         Because of the information we requested to\n& Logistics), requested this audit. Our                conduct the audit, the Defense Procurement and\nobjective was to determine whether Department          Acquisition Policy became aware the automated\nof Defense Approving/Billing Officials                 system lacked the capability to produce the data\nadequately reviewed transactions that the              needed to complete the assessment of the\nPurchase Card On-Line System referred for              Approving/Billing Officials\xe2\x80\x99 reviews and\nbeing at-risk of noncompliance with applicable         initiated actions to improve the Purchase Card\nlaws and criteria. In addition, we were to             On-Line System. Thus, we are not making any\ndetermine whether Department of Defense                recommendations in this report.\nApproving/Billing Officials adequately\nreviewed cases in which they identified cards as       Management Comments and\nlost or stolen.                                        Our Response\n                                                       We do not require a written response to this\nWhat We Found                                          report.\nNeither we nor the Defense Procurement and\nAcquisition Policy could use the Purchase Card\nOn-Line System to assess and determine\nwhether DoD Approving/Billing Officials\nadequately reviewed 32,690 transactions that the\nsystem referred (during the period January\nthrough June 2012) as being at-risk of\nnoncompliance with applicable laws and\ncriteria, including lost and stolen cards.\n\nThis occurred because the automated system:\n\n   \xe2\x80\xa2   did not contain sufficient capability to\n       automatically retrieve and match the\n       case disposition reviews with the\n       universe of the at-risk Government\n       Purchase Card transactions, and\n   \xe2\x80\xa2   was unable to archive case history file\n       data, which were maintained in a\n       separate data warehouse.\n\n\n\n\n                                                   i\n\x0cReport No. DODIG-2013-061 (Project No. D2012-D000DC-0200.000)       March 27, 2013\n\nRecommendations Table\n\n                  Management                      Recommendations Requiring Comment\nDirector of Program Development and               None\nImplementation, Defense Procurement and\nAcquisition Policy (DPAP), Office of the Under\nSecretary of Defense (Acquisition, Technology &\nLogistics)\n\n\n\n\n                                             ii\n\x0cTable of Contents\n\nIntroduction                                                              1\n\n      Objectives                                                          1\n      Government Purchase Card Audit Requirements                         1\n      Review of Internal Controls                                         2\n\nFinding. Adequacy of Data Availability                                    3\n\n      Audit Request                                                       3\n      Defense Procurement and Acquisition Policy Improving the Purchase\n             Card On-Line System To Permit Added Oversight                5\n      Summary                                                             6\n\nAppendix. Scope and Methodology                                           7\n\n      Use of Computer-Processed Data                                      7\n      Prior Coverage                                                      7\n\x0c\x0cIntroduction\nObjectives\nThe Director of Program Development and Implementation, Defense Procurement and\nAcquisition Policy (DPAP), Office of the Under Secretary of Defense (Acquisition,\nTechnology & Logistics), requested this audit. Our objective was to determine whether\nDoD Approving/Billing Officials (A/BOs) adequately reviewed transactions that the\nPurchase Card On-Line System (PCOLS) referred for being at-risk of noncompliance\nwith applicable laws and criteria. In addition, we were to determine whether DoD A/BOs\nadequately reviewed cases in which they identified cards as lost or stolen. See the\nAppendix for the scope and methodology related to the objective.\n\nGovernment Purchase Card Audit Requirements\nSection 2784, title 10, United States Code (10 U.S.C. \xc2\xa7 2784) establishes the Government\nPurchase Card (GPC) Program for the Department of Defense. Section 2784 requires the\nDoD Office of Inspector General to perform periodic audits of the DoD GPC Program to\nidentify the following:\n\n   \xe2\x80\xa2   potentially fraudulent, improper, and abusive use of purchase cards;\n   \xe2\x80\xa2   patterns of improper cardholder transactions, such as purchases of prohibited\n       items; and\n   \xe2\x80\xa2   categories of purchases that should be made by means other than the GPC to\n       better aggregate purchases and obtain lower prices.\n\nFurthermore, section 2784 requires DoD to use \xe2\x80\x9ceffective systems, techniques, and\ntechnologies to prevent or identify potential fraudulent purchases.\xe2\x80\x9d\n\nDoD Office Responsible for the Government Purchase\nCard Program\nThe DPAP was responsible for oversight and issuing policy for the DoD GPC Program.\nTo assist DoD with internal control and policy compliance, the DPAP awarded a contract\nfor the development of a Data Mining and Risk Assessment (DMRA) applications as part\nof an automated system, the PCOLS, to examine transactions and identify those that were\nat-risk of being noncompliant with laws and other criteria. DoD began deployment of the\nPCOLS Data Mining and Risk Assessment modules during the 2nd Quarter of FY 2009 at\none Air Force location, the Defense Contract Management Agency, the Defense Logistics\nAgency, and the Washington Headquarters Services and that deployment continues. As\nof February 6, 2013, the PCOLS Data Mining and Risk Assessment module contract ceiling\namount was $14.4 million.\n\n\n\n\n                                           1\n\x0cThe Purchase Card On-Line System\nThe DPAP developed the PCOLS to improve controls over the use of the GPC program\nby using a data mining process to identify potentially improper GPC transactions. The\nPCOLS suite of applications consists of the following modules:\n\n           \xe2\x80\xa2   Enterprise Monitoring and Management of Accounts,\n           \xe2\x80\xa2   Authorization, Issuance, and Maintenance,\n           \xe2\x80\xa2   Data Mining,\n           \xe2\x80\xa2   Risk Assessment, and\n           \xe2\x80\xa2   PCOLS Reporting.\n\nThe Enterprise Monitoring and Management of Accounts module and the Authorization,\nIssuance, and Maintenance module were administrative modules. The Data Mining\nmodule contained a mining feature that was capable of reviewing 100 percent of the\npurchase card transactions to provide near real-time transaction monitoring. As part of\nthe function of the DMRA modules, each transaction was assigned a Risk Predictive\nModel score that identified the risk of impropriety for each transaction. Selected\ntransactions with a high Risk Predictive Model score and randomly selected transactions\nwere flagged for management review.\n\nUnder the DMRA operations concept, the primary or the alternate A/BOs, who received a\nnotification e-mail, were to review each of the flagged transactions. The A/BOs were to\ndetermine the validity of the transaction. With every flagged transaction, the A/BOs\nwere to answer a minimum of nine questions, such as whether the transaction was a split\ntransaction or a prohibited item. This review process was termed \xe2\x80\x9ccase review.\xe2\x80\x9d After\nthe case review, the A/BO would complete a \xe2\x80\x9ccase disposition\xe2\x80\x9d to categorize the\ntransaction as valid, administrative discrepancy, misuse, suspected fraud, lost, or stolen.\nAlso, the GPC transactions that the DMRA identified as \xe2\x80\x9chigh risk\xe2\x80\x9d transactions were to\nundergo an independent review by the responsible Agency/Organization Program\nCoordinator. Recently, DPAP decided to migrate the Risk Assessment functionality to\nthe Reporting Module.\n\nReview of Internal Controls\nDoD Instruction 5010.40, \xe2\x80\x9cManagers\xe2\x80\x99 Internal Control Program (MICP) Procedures,\xe2\x80\x9d\nJuly 29, 2010, requires DoD organizations to establish a management internal control\nprogram to identify and promptly correct ineffective internal controls and establish\ninternal controls when warranted. We identified an internal control weakness: PCOLS\ndid not contain a sufficient capability to automatically retrieve and match the case\ndispositions\xe2\x80\x99 reviews with the data on the at-risk GPC transactions. During the audit, the\nDPAP was taking actions to correct the weaknesses. We will provide a copy of the report\nto the senior official responsible for internal controls in the DPAP.\n\n\n\n\n                                            2\n\x0cFinding. Adequacy of Data Availability\nNeither we nor the Defense Procurement and Acquisition Policy could use the PCOLS\nSystem to assess and determine whether DoD A/BOs adequately reviewed 32,690\ntransactions that the system referred (during the period January through June 2012) as\nbeing at-risk of noncompliance with applicable laws and criteria, including lost and\nstolen cards.\n\nThis occurred because the PCOLS:\n\n    \xe2\x80\xa2   did not contain sufficient capability to automatically retrieve and match the case\n        disposition reviews with the universe of the at-risk GPC transactions, and\n\n    \xe2\x80\xa2   was unable to archive case history file data, which were maintained in a separate\n        data warehouse.\n\nAs a result, the automated system could not be employed for oversight reviews, such as\nassessments of A/BOs reviews and dispositions of at-risk transactions.\n\nAudit Request\nOn August 24, 2012, the Director of Program Development and Implementation, DPAP,\nOffice of the Under Secretary of Defense (Acquisition, Technology & Logistics),\nrequested this audit, and we announced the audit on September 5, 2012.\n\nComplete Universe Data Availability Was Limited\nAlthough the PCOLS provided the Military Departments and Defense Agencies with\nanother oversight capability not previously available to everyone, the PCOLS capability\n                                       to allow overall assessments was limited. The\n    The PCOLS provided a data          PCOLS provided a data mining tool that identified\n      mining tool that identified      transactions that were potentially noncompliant\n       transactions that were          with applicable laws and criteria. However, since\n   potentially noncompliant with       the PCOLS was deployed in 2009, it did not have\n    applicable laws and criteria       the ability to provide the information that was\n                                       needed to resolve whether approving officials\nadequately reviewed the transactions that the PCOLS referred as being at-risk of\nnoncompliance, which was also the primary objective of this management-requested\naudit.\n\nOn October 1, 2012, the DPAP DMRA application provided 148,488 cases for\nmanagement review during the period of January 1, 2012, through June 30, 2012. The\n148,488 universe included 32,690 cases that A/BOs reviewed and closed. However, the\nremaining 115,798 cases were either still in the review process or were related to Military\nDepartments and DoD Agencies not using PCOLS. For example, the Army and Navy\nwere not fully using PCOLS for the review of at-risk transactions; however, their\ntransactions were included in the data received from the banks that provide DoD GPCs.\n\n\n                                             3\n\x0cWhen we requested information to conduct the audit, the DPAP personnel became aware\n                                    the DMRA database did not contain sufficient\n DMRA database did not contain      capability to automatically retrieve and match the\n      sufficient capability to      case disposition reviews with the universe of the\n   automatically retrieve and       at-risk GPC transactions. For management to\n   match the case disposition       perform an assessment of the A/BOs\xe2\x80\x99 review\n reviews with the universe of the   results after case disposition closure, the DMRA\n    at-risk GPC transactions        needed to match two sets of data. The DMRA\n                                    needed to match the following:\n\n    \xe2\x80\xa2   transactions referred to the A/BOs for review to the responses that the A/BOs\n        provided regarding the case, and\n    \xe2\x80\xa2   specific information that identified the transactions\xe2\x80\x99 cardholders, and other data,\n        such as locations, vendors\xe2\x80\x99 data, and time frames for the review process.\n\nFurthermore, as a result of the inability to automatically match the two sets of data, the\ndollar amount and other summary data that the A/BOs\xe2\x80\x99 cases represented were not able to\nbe retrieved in an efficient and timely manner. On October 22, 2012, DPAP personnel\nadmitted that the system could not automatically produce the information requested and\nthat obtaining this information would require a significant manual effort.\n\nHistorical PCOLS Data Were Not Being Archived in the\nData Warehouse\nThe DPAP was not aware that PCOLS Data were not being archived in a data warehouse\n                                 before our request for information to support the audit\n    PCOLS Data were not          objective. DPAP personnel stated, \xe2\x80\x9cWe were under the\n      being archived in a        impression that the requested data would be available\n        data warehouse           from the PCOLS Reporting Data Warehouse.\n                                 Unfortunately, what we found out is that it is not.\xe2\x80\x9d\nDPAP personnel also stated, \xe2\x80\x9cDPAP was unaware of deficiencies in the data warehouse\nwhen the audit commenced. The data existed but was [sic] not readily available.\xe2\x80\x9d On\nJanuary 8, 2013, DPAP personnel through e-mail explained the challenges of obtaining\nPCOLS data to support the audit:\n\n                 When DPAP requested the audit in August of 2012, the expectations were that PCPO1\n                 would be able to provide the data required for the audit through ad hoc queries run\n                 against the PCOLS data warehouse. PCPO tasked DMDC [Defense Manpower Data\n                 Center] with performing these ad hoc queries and the data made available. DMDC\n                 performed the queries and supplied the extracted data to PCPO, which, was [sic]\n                 incomplete for the scope of this audit. It is important to note that all of the data from\n                 [Data Mining] activity is [sic] transferred to the DMDC. Heretofore, only the data\n                 required for PCOLS Reporting purposes has [sic] been loaded into the PCOLS data\n                 warehouse. It was not until after close examination of the extracted data did PCPO\n\n\n\n1\n The Purchase Card Policy Office (PCPO) is part of the Program Development and Implementation\nDirectorate, Defense Procurement and Acquisition Policy, Office of the Under Secretary of Defense\n(Acquisition, Technology & Logistics) that requested the audit.\n\n\n                                                     4\n\x0c              become aware that all of the historical data was [sic] not being stored in the data\n              warehouse. The elements of this historical data were the cause of the audit data being\n              incomplete.\n\nIn addition, DPAP personnel stated:\n\n              We determined that some of the data fields that needed to be queried were not\n              permanently stored in the data warehouse. These required fields are summarily extracted\n              to worktables, calculations made to summarize the data, and then the work tables deleted.\n              The result was that the some [sic] of the historical data was [sic] not retained in the data\n              warehouse and subsequently not available for immediate retrieval.\n\nDefense Procurement and Acquisition Policy Improving\nthe Purchase Card On-Line System To Permit Added\nOversight\nDPAP personnel indicated they were making improvements that will result in retention of\nthe data necessary to assess A/BOs performance and also permit the PCOLS to be used to\nidentify trends, develop metrics, and focus on problem areas. Specifically, on\nJanuary 8, 2013, DPAP personnel e-mailed the following:\n\n              In order to ensure the ability to re-engage with your Office to complete this audit when it\n              is appropriate, and ensure efficient use of audit resources, DPAP has taken actions to\n              ensure a higher degree of audit preparedness with respect to data accessibility and system\n              architecture in the Data Mining application suite.\xe2\x80\xa6 We expect that this data to be loaded\n              into production by the end of FY 2013 Q2 and available for adhoc [sic] reporting. We\n              expect that audit specific reports to be available in production by the end of FY 2013 Q3.\n\nOther Events Affecting Data Availability\nThe DPAP personnel subsequently indicated that they were making changes to the\nPCOLS that would further affect the availability of data. Specifically, the DPAP\ncompleted moving the host for the PCOLS Data Mining module from a contractor\xe2\x80\x99s site\nto the Defense Systems Information Agency Enclave (a DoD environment) on\nJanuary 26, 2013. The DPAP expected the move would add to the delay in obtaining\ndata.\n\nThe DPAP personnel expected that the move to the Defense Systems Information Agency\n                                           Enclave would have a positive effect on\n     DPAP personnel expected that the\n                                           future programming and maintenance of the\n       move to the Defense Systems\n                                           Data Mining application. Additionally, the\n    Information Agency Enclave would\n                                           DPAP expected the move would instill\n           have a positive effect\n                                           tighter controls related to software\nconfiguration management and overall database support once the application was within\nthe Defense Systems Information Agency environment. Both these factors were expected\nto improve software quality and overall application quality.\n\n\n\n\n                                                  5\n\x0cSummary\nUntil DPAP personnel effectively complete their efforts to develop the methodology that\nwill allow a complete matching of case disposition information with specific GPC\ntransactions, they will not have the ability to perform an effective assessment of the\nA/BOs review process. Additionally, any audit reviews will be limited and the PCOLS\ncannot be used to the full potential for managing the GPC program.\n\nDPAP personnel recognized the deficiencies that they had in the automated system that\nwere preventing them from obtaining the data needed for effective oversight and initiated\nthe actions mentioned above to improve the PCOLS. As a result of management actions\nto be taken in the 2nd and 3rd Quarters of FY 2013, we are not making recommendations\nin this report.\n\n\n\n\n                                            6\n\x0cAppendix: Scope and Methodology\nWe conducted this performance audit from September 2012 through March 2013 in\naccordance with Generally Accepted Government Auditing Standards. However, the\nDPAP was unable to provide sufficient information to allow for selecting of an audit\nsample to review the case disposition process. The standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for the findings and conclusions we\nformed based on our audit objectives.\n\nTo determine whether A/BOs adequately reviewed transactions that the PCOLS referred\nfor being at-risk of noncompliance with applicable laws and criteria, we interviewed\nDPAP personnel concerning the PCOLS case disposition process and reviewed\napplicable criteria. Additionally, we requested the DPAP to provide the January 1, 2012,\nthrough June 30, 2012, universe of at-risk transactions referred by the PCOLS to the\nA/BOs to select a sample to review. On October 1, 2012, DPAP provided 148,488 cases\ncreated by the PCOLS to be sent to A/BOs for review during the period of January 1,\n2012, through June 30, 2012. The 148,488 cases included 32,690 cases that the A/BOs\nhad reviewed and closed. However, the remaining 115,798 cases were either still in the\nreview process or were related to Military Departments and DoD Agencies not utilizing\nPCOLS. For example, the Army and Navy were not fully utilizing PCOLS for the review\nof at-risk transactions; however, their transactions were included in the data PCOLS\nreceived from the banks and at-risk cases were created in PCOLS.\n\nHowever, because of the PCOLS\xe2\x80\x99s system limitations, the DPAP was unable to provide\nsufficient information for us to review the 32,690 cases. The PCOLS did not have the\nability to automatically match the necessary data to conduct the audit including A/BOs\xe2\x80\x99\ncase disposition results matched to information that identified the specific transactions,\ncard holders, locations, vendors\xe2\x80\x99 data, and time frames for the review process.\n\nUse of Computer-Processed Data\nWe obtained computer-processed data from the DPAP in support of the audit objective.\nHowever, the PCOLS data did not contain the necessary information to conduct the audit.\nThe PCOLS did not contain A/BOs\xe2\x80\x99 case disposition results matched to information that\nidentified the specific transactions, card holders, locations, vendors\xe2\x80\x99 data, and time\nframes for the review process. As a result, computer-processed data were not used to\nconduct this audit.\n\nPrior Coverage\nNo prior coverage has been conducted on the use of the Purchase Card On-Line System\nto assess and determine whether DoD A/BOs adequately reviewed transactions referred\nto them for being at-risk of noncompliance with applicable laws and criteria during the\nlast 5 years.\n\n\n\n                                             7\n\x0c\x0c'